Action Alert: Illegal NSA Wiretapping Program Involved
Data-Mining

News reports over the holidays revealed that the US National
Security Agency (NSA)'s presidentially-approved domestic
spying program is even broader than the White House
acknowledged.

First it was revealed that the Administration has been
wiretapping the international phone and email communications
of people inside the US without getting search warrants.

Now we learn that, according to the New York Times and the
Los Angeles Times, the NSA has gained access to major
telecommunications switches inside the US, giving it
essentially unchecked access not only to international
communications but to purely domestic emails and phone calls
as well. Those newspapers, and a new book by New York Times
reporter James Risen, have further revealed that the NSA has
been using that access--as well as access to
telecommunications companies' databases--to data-mine Internet
logs and phone logs for suspicious patterns, presumably to
find new targets for the wiretapping program.

The continuing revelations about the NSA's illegal
surveillance activities make a mockery of the current debate
over USA PATRIOT reform. The Administration has been
vigorously arguing against adding any new checks and balances
to its foreign intelligence capabilities in the new PATRIOT
renewal bill, yet the White House has now admitted that it
authorized the NSA to bypass the few checks and balances
remaining after PATRIOT. What good is legislative reform if
the Administration considers itself above the law?

EFF is actively investigating all options for going to court
and challenging the NSA program. However, the exact scope of
the "President's Program," as it has been called, is still
very unclear, and these new revelations show just how badly a
Congressional inquiry is needed to get to the bottom of
things. Senator Arlen Specter (R-PA) has vowed to hold
hearings in the Senate Judiciary Committee, but neither the
House nor Senate Intelligence Committees has announced
similar plans. What is needed here is a full-court press
from Congress--it appears that the facts we've gotten so far
are potentially the tip of the iceberg.

Specter's hearings start this month. The debate over PATRIOT
will resume, too, as the "sunsetting" provisions of the Act
are now set to expire on February 3rd. Particularly in light
of the NSA scandal, Congress should not even consider
renewing the spying powers in the PATRIOT Act until the
public hears the full story of the President's Program.

Judge Grants Preliminary Approval for Sony BMG CD
Settlement

Customers to Get Clean CDs and Extra Downloads Because of
Flawed Copy-Protection

New York - A US District Court judge in New York gave
preliminary approval Friday to a settlement for music fans
who purchased Sony BMG music CDs containing flawed copy
protection programs.

Under the proposed settlement, Sony BMG will stop
manufacturing CDs with both First4Internet XCP and SunnComm
MediaMax software. People who have already purchased the
flawed CDs will be offered the same music without digital
rights management (DRM), and some will also receive
downloads of other Sony BMG music from several different
services, including iTunes. The settlement would also waive
several restrictive end user license agreement (EULA) terms
and commit Sony BMG to a detailed security review process
prior to including any DRM on future CDs, as well as
providing for adequate pre-sale notice to consumers in the
future.

Consumers can exchange CDs with XCP software for clean CDs
now, but the rest of the settlement benefits will not be
available until an official notice to the class has been
issued. The court ordered that the notice--via newspaper
ads, Google ads, email and other means--must occur by
February 15. Once that notice goes out, consumers can begin
submitting claims for settlement benefits and should get
those benefits within 6-8 weeks of submitting the proof of
claim form.

To help consumers figure out what the settlement means to
them, EFF has posted a list of frequently asked questions
(FAQ) on its website. The FAQ tells music fans how to
return their flawed CDs, how to get their clean CDs and
downloads in exchange, and how to opt out of this
settlement. The deadline to opt out of the settlement is
May 1, 2006.

"The settlement helps consumers finally get music that will
play on their computers without invading their privacy or
eroding their security," said EFF Staff Attorney Corynne
McSherry. "Now that the court has given preliminary
approval, the next step is to make sure that the millions
of music fans who bought these XCP and MediaMax CDs
understand what is available and how to get it."

The problems with the Sony BMG CDs surfaced when security
researchers discovered that XCP and MediaMax installed
undisclosed--and in some cases, hidden--files on users'
Windows computers, potentially exposing music fans to
malicious attacks by third parties. The infected CDs also
communicated back to Sony BMG about customers' computer use
without proper notification.

EFF and its co-counsel--Green and Welling, Lerach,
Coughlin, Stoia, Geller, Ruchman and Robbins, and the Law
Offices of Lawrence E. Feldman and Associates--along with a
coalition of other plaintiffs' class action counsel,
reached the settlement after negotiations with Sony BMG
over the last month.

You can stay updated on the progress of the settlement
agreement by visiting the FAQ page.

EFF Calls on EMI to Permit Security Research on
Copy-Protected CDs

Fear of Legal Action Chills Computer Security Researchers

San Francisco - The Electronic Frontier Foundation (EFF)
this week sent an open letter to EMI Music--the record
label representing artists including Paul McCartney and
Coldplay--calling on it to agree not to pursue any legal
action against computer security researchers who examine the
copy-protection technologies used on some EMI CDs.

In late 2005, independent researchers uncovered security
problems with Sony BMG copy-protected CDs, forcing the
label to issue patches and uninstallers to those customers
who had played the CDs on Windows computers. Several record
labels owned by EMI, including Virgin Records, Capitol
Records, and Liberty Records, use similar copy-protection
technologies supplied by Macrovision. On those CDs, an end
user license agreement (EULA) forbids reverse engineering
for any reason, including security testing. In addition,
the Digital Millennium Copyright Act (DMCA) has chilled the
efforts of computer security researchers interested in
examining copy-protected CDs.

In the open letter published Wednesday, EFF urges EMI Music
to publicly declare that it will not take legal action
against computer security researchers who study
copy-protected CDs released by record labels owned by EMI.

"Music fans deserve to know whether EMI's copy-protected
CDs are exposing their computers to security risks," said
Fred von Lohmann, senior staff attorney with EFF. "When it
comes to computer security, it pays to have as many
independent experts kick the tires as possible, and that
can only happen if EMI assures those experts that they
won't be sued for their trouble."

Berlind, Neuros Fight Against Analog Hole Plugging
The ZDNet editor and the CEO of a consumer tech company
point out how any new legislation would kill tech innovation
and raise prices.
http://blogs.zdnet.com/BTL/?p=2321

Reproduction of this publication in electronic media is
encouraged. Signed articles do not necessarily represent the
views of EFF. To reproduce signed articles individually,
please contact the authors for their express permission.
Press releases and EFF announcements & articles may be
reproduced individually at will.